How many employees would dare to sit at their desk and use their PC to surf internet porn, download the latest number one hit from Kazaa or play an online game of poker? It is fair to say that probably not many (although you could argue that one instance is still too many).
But ask how many employees would perform these same activities in the comfort of their own home using their company laptop and the figure would rise sharply. In fact, 42% of laptop users surveyed in the European ‘Laptop Liabilities’ research admitted that they had visited adult content sites, hacking sites and, even worse, peer-to-peer sites.
As with company cars and mobile phones, the distinction between who owns the item and who uses it has been eroded to the point at which employees regularly view a corporate laptop as their own property, to be used as they wish. This is supported by the statistic that one in five have no idea who actually uses their laptop outside of work and for what purpose. Yet unlike with a car or a phone, a company cannot keep monthly track of how the laptop is being used, so organisations remain oblivious to the non-work activities until it is too late.
IT security would not be such a huge problem for IT managers if the corporate network was easily contained and protected. But the reality is that most organisations feature a growing band of workers who are no longer based in the office. Mobile working is on the increase, especially as more employers realise the productivity benefits it brings. In 2002, the number of European mobile workers stood at 80.6 million and analyst group IDC anticipates that this will grow to 99.3 million by 2007.
Therefore, employers must broaden their IT security policy to take into account changing working practices and make sure that they have safeguards in place – such as an acceptable internet usage policy – to protect every corner of the company from emerging threats.
One of the key challenges for CIOs is raising awareness amongst workers of the dangers mobile working presents. According to the European Laptop research, 86% of corporate laptop users admitted to downloading software and other media, much of which violates copyright laws. Employees therefore need to be educated on the implications of their actions. Worryingly for IT managers, only one in ten expressed concern that their company could face prosecution for breach of copyright and only 15% of employees were worried about the potential risk of personal prosecution.
Such activities do not appear to be performed out of malice – it is fair to assume that in most cases, employees would use their own computer if they did not have a company laptop to hand. However, the current level of ignorance surrounding security risks such as spyware (software that covertly gathers information about a user and transmits this to an unknown individual or third party) means that employees are putting their companies in a vulnerable position as well as risking their own confidential information.
Websense’s Laptop Liabilities research found that 93% of employees using laptops did not understand the threat of spyware despite the dangers it presents in recording keystrokes and password information. Most users confused the term with adware – non-malicious pop ups – therefore supporting the theory that laptop users are simply naïve to the threats.
Clearly, many employees underestimate the damage their seemingly innocent Internet activities can incur. By accessing unprotected sites, the laptop user is actually helping the hacker spread malicious code – such as Trojan horses, viruses and spyware – across company servers when the laptop reconnects to the network. The first indication an IT manager will usually receive that a laptop has been used for unauthorised activities is when malware or a virus infiltrates the IT infrastructure and starts infecting other machines. In the worst-case scenario, if spyware infects the network and there is nothing in place to detect and stop back-channel traffic, all manner of company and personal/confidential information can be lost.
Employers therefore need to ensure that employees strictly adhere to any formal policies in place. The European Laptop Liabilities report found that half of the companies surveyed manage employees’ internet access on corporate laptops, but only a quarter enforce these policies physically and almost a third simply rely on employee compliance with written policies.
As the report revealed, ignorance is bliss for most employees. Whilst education is vital, automation is always the best option in ensuring safer surfing both in the office and at home. If most employees understood all the risks, they’d never want to proactively invite these unwanted visitors into their office or their home.